Hello community, here is the log from the commit of package kdelibs4 for openSUSE:11.4 checked in at Mon Oct 10 12:38:48 CEST 2011.
-------- --- old-versions/11.4/UPDATES/all/kdelibs4/kdelibs4-apidocs.changes 2011-04-11 17:52:46.000000000 +0200 +++ 11.4/kdelibs4/kdelibs4-apidocs.changes 2011-10-05 22:42:12.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Oct 5 20:40:15 UTC 2011 - [email protected] + +- Add patches vs SSL CN display input validation flaw + (CVE-2011-3365) + +------------------------------------------------------------------- --- old-versions/11.4/UPDATES/all/kdelibs4/kdelibs4.changes 2011-04-11 17:52:46.000000000 +0200 +++ 11.4/kdelibs4/kdelibs4.changes 2011-10-05 22:42:12.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Oct 5 20:40:15 UTC 2011 - [email protected] + +- Add patches vs SSL CN display input validation flaw + (CVE-2011-3365) (bnc#721974) + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- 90607b28-kio_http-cn-input-validation.diff 9ca2b26f-kssl-cn-input-validation.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kdelibs4-apidocs.spec ++++++ --- /var/tmp/diff_new_pack.1MW8t4/_old 2011-10-10 12:38:17.000000000 +0200 +++ /var/tmp/diff_new_pack.1MW8t4/_new 2011-10-10 12:38:17.000000000 +0200 @@ -26,7 +26,7 @@ Summary: KDE 4 API documentation Url: http://www.kde.org Version: 4.6.0 -Release: 3.<RELEASE4> +Release: 3.<RELEASE5> Requires: kde4-filesystem Source0: kdelibs-%version.tar.bz2 Source1: baselibs.conf ++++++ kdelibs4.spec ++++++ --- /var/tmp/diff_new_pack.1MW8t4/_old 2011-10-10 12:38:17.000000000 +0200 +++ /var/tmp/diff_new_pack.1MW8t4/_new 2011-10-10 12:38:17.000000000 +0200 @@ -44,7 +44,7 @@ Summary: KDE Base Libraries Url: http://www.kde.org Version: 4.6.0 -Release: 6.<RELEASE15> +Release: 6.<RELEASE17> Requires: soprano >= %( echo `rpm -q --queryformat '%{VERSION}' libsoprano-devel`) Recommends: strigi >= %( echo `rpm -q --queryformat '%{VERSION}' strigi-devel`) Requires: kdelibs4-core = %version @@ -78,6 +78,8 @@ Patch28: no_kbookmark_write_error.diff Patch29: 23621737-ssl-wildcards.diff Patch30: d4098c3e-khtml-xss.diff +Patch31: 9ca2b26f-kssl-cn-input-validation.diff +Patch32: 90607b28-kio_http-cn-input-validation.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %requires_ge libqt4-x11 %if 0%{?opensuse_bs} @@ -169,6 +171,8 @@ %patch28 -p1 %patch29 -p1 %patch30 -p1 +%patch31 -p1 +%patch32 -p1 # # define KDE version exactly # ++++++ 90607b28-kio_http-cn-input-validation.diff ++++++ commit 90607b28d21fefc43657ca08b889bdb174c31fab Author: David Faure <[email protected]> Date: Wed Sep 28 17:26:47 2011 +0200 Use HTML escaping on texts that come from the website Interestingly enough, this is yet another use case for moving Qt::escape to QtCore, which I made a merge request for. (cherry picked from commit 86622e4db182f4b914169f72ebd1e66d708e9f87) diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp index 33f4cb1..6447a02 100644 --- a/kioslave/http/http.cpp +++ b/kioslave/http/http.cpp @@ -99,6 +99,27 @@ //authentication handlers #include "httpauthentication.cpp" +// KDE5 TODO (QT5) : use QString::htmlEscape or whatever https://qt.gitorious.org/qt/qtbase/merge_requests/56 +// ends up with. +static QString htmlEscape(const QString &plain) +{ + QString rich; + rich.reserve(int(plain.length() * 1.1)); + for (int i = 0; i < plain.length(); ++i) { + if (plain.at(i) == QLatin1Char('<')) + rich += QLatin1String("<"); + else if (plain.at(i) == QLatin1Char('>')) + rich += QLatin1String(">"); + else if (plain.at(i) == QLatin1Char('&')) + rich += QLatin1String("&"); + else if (plain.at(i) == QLatin1Char('"')) + rich += QLatin1String("""); + else + rich += plain.at(i); + } + rich.squeeze(); + return rich; +} // see filenameFromUrl(): a sha1 hash is 160 bits static const int s_hashedUrlBits = 160; // this number should always be divisible by eight @@ -3410,7 +3431,7 @@ endParsing: authinfo.url = reqUrl; authinfo.keepPassword = true; authinfo.comment = i18n("<b>%1</b> at <b>%2</b>", - authinfo.realmValue, authinfo.url.host()); + htmlEscape(authinfo.realmValue), authinfo.url.host()); if (!openPasswordDialog(authinfo, errorMsg)) { if (sendErrorPageNotification()) { @@ -5122,7 +5143,7 @@ void HTTPProtocol::proxyAuthenticationForSocket(const QNetworkProxy &proxy, QAut "to access any sites."); info.keepPassword = true; info.commentLabel = i18n("Proxy:"); - info.comment = i18n("<b>%1</b> at <b>%2</b>", info.realmValue, m_request.proxyUrl.host()); + info.comment = i18n("<b>%1</b> at <b>%2</b>", htmlEscape(info.realmValue), m_request.proxyUrl.host()); const bool dataEntered = openPasswordDialog(info, i18n("Proxy Authentication Failed.")); if (!dataEntered) { kDebug(7103) << "looks like the user canceled proxy authentication."; ++++++ 9ca2b26f-kssl-cn-input-validation.diff ++++++ commit 9ca2b26fc67c3f921e1943c1725fca623e395854 Author: David Faure <[email protected]> Date: Thu Jun 30 23:43:45 2011 +0200 Security fix: don't interpret html tags Credits to Tim Brown for the find. (cherry picked from commit bd70d4e589711fda9ab07738c46e37eee8376214) diff --git a/kio/kssl/ksslcertificatebox.cpp b/kio/kssl/ksslcertificatebox.cpp index 4ffc613..094787a 100644 --- a/kio/kssl/ksslcertificatebox.cpp +++ b/kio/kssl/ksslcertificatebox.cpp @@ -36,6 +36,10 @@ KSslCertificateBox::KSslCertificateBox(QWidget *parent) d(new KSslCertificateBoxPrivate()) { d->ui.setupUi(this); + // No fooling us with html tags + Q_FOREACH(QLabel* label, qFindChildren<QLabel *>(this)) { + label->setTextFormat(Qt::PlainText); + } } continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
